AWS Identity and Access Management (IAM) and AWS Security Token Service (STS) have quotas that limit the size of objects. This affects how you name an object, the number of objects you can create, and the number of characters you can use when you pass an object.
IAM name requirementsIAM names have the following requirements and restrictions:
Policy documents can contain only the following Unicode characters: horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF.
Names of users, groups, roles, policies, instance profiles, server certificates, and paths must be alphanumeric, including the following common characters: plus (+), equals (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). Path names must begin and end with a forward slash (/).
Names of users, groups, roles, and instance profiles must be unique within the account. They arenât distinguished by case, for example, you can't create groups named both ADMINS and admins.
The external ID value that a third party uses to assume a role must have a minimum of 2 characters and a maximum of 1,224 characters. The value must be alphanumeric without white space. It can also include the following symbols: plus (+), equal (=), comma (,), period (.), at (@), colon (:), forward slash (/), and hyphen (-). For more information about the external ID, see Access to AWS accounts owned by third parties.
Policy names for inline policies must be unique to the user, group, or role they're embedded in. The names can contain any Basic Latin (ASCII) characters except for the following reserved characters: backward slash (\), forward slash (/), asterisk (*), question mark (?), and white space. These characters are reserved according to RFC 3986, section 2.2.
User passwords (login profiles) can contain any Basic Latin (ASCII) characters.
AWS account ID aliases must be unique across AWS products, and must be alphanumeric following DNS naming conventions. An alias must be lowercase, it must not start or end with a hyphen, it can't contain two consecutive hyphens, and it can't be a 12-digit number.
For a list of Basic Latin (ASCII) characters, go to the Library of Congress Basic Latin (ASCII) Code Table.
IAM object quotasQuotas, also referred to as limits in AWS, are the maximum values for the resources, actions, and items in your AWS account. Use Service Quotas to manage your IAM quotas.
For the list of IAM service endpoints and service quotas, see AWS Identity and Access Management endpoints and quotas in the AWS General Reference.
To request a quota increase
Follow the sign-in procedure appropriate to your user type as described in the topic How to sign in to AWS in the AWS Sign-In User Guide to sign in to the AWS Management Console.
Open the Service Quotas console.
In the navigation pane, choose AWS services.
On the navigation bar, choose the US East (N. Virginia) Region. Then search for IAM.
Choose AWS Identity and Access Management (IAM), choose a quota, and follow the directions to request a quota increase.
For more information, see Requesting a Quota Increase in the Service Quotas User Guide.
To see an example of how to request an IAM quota increase using the Service Quotas console, watch the following video.
You can request an increase to default quotas for adjustable IAM quotas. Requests up to the maximum quota are automatically approved and completed within a few minutes.
The following table lists the resources for which quota increases area can be automatically approved.
Resource Default quota Maximum quota Customer managed policies per account 1500 5000 Groups per account 300 500 Instance profiles per account 1000 5000 Managed policies per role 10 20 Managed policies per user 10 20 Managed policies per group 10 10 Role trust policy length 2048 characters 4096 characters Roles per account 1000 5000 Server certificates per account 20 1000 IAM Access Analyzer quotasFor the list of IAM Access Analyzer service endpoints and service quotas, see IAM Access Analyzer endpoints and quotas in the AWS General Reference.
IAM Roles Anywhere quotasFor the list of IAM Roles Anywhere service endpoints and service quotas, see AWS Identity and Access Management Roles Anywhere endpoints and quotas in the AWS General Reference.
STS request quotasThe AWS Security Token Service (AWS STS) enforces the following request quotas.
For AWS STS requests made using AWS credentials, the default request quota is 600 requests per second, per account, per Region. The following AWS STS operations share this quota:
AssumeRole
DecodeAuthorizationMessage
GetAccessKeyInfo
GetCallerIdentity
GetFederationToken
GetSessionToken
Requests to AWS STS by AWS service principals, such as those used to assume roles for use with an AWS service, do not consume STS request per second quota in your accounts.
For example, if an AWS account makes 100 GetCallerIdentity requests per second and 100 AssumeRole calls per second in the same region, that account is consuming 200 of its available 600 STS requests per second for that region.
For cross-account AssumeRole requests, only the account making the AssumeRole request impacts the STS quota. The target account does not have any of itâs quota consumed.
To request an increase to STS request quotas, please open a ticket with AWS support.
NoteWith the upcoming changes to the AWS STS global endpoint (https://sts.amazonaws.com), requests to the global endpoint will not share a requests per second (RPS) quota with AWS STS Regional endpoints in Regions that are enabled by default. When a request to the AWS STS global endpoint originates from a single Region, it will count against the global endpoint's RPS quota. However, when requests come from multiple Regions, each additional Region will receive its own independent RPS quota. For more information about the AWS STS global endpoint changes, see AWS STS global endpoint changes.
The following are the maximum character counts and size limits for IAM and AWS STS. You can't request an increase for the following limits.
Description Limit Alias for an AWS account ID 3â63 characters For inline policies You can add as many inline policies as you want to an IAM user, role, or group. But the total aggregate policy size (the sum size of all inline policies) per entity can't exceed the following limits:User policy size can't exceed 2,048 characters.
Role policy size can't exceed 10,240 characters.
Group policy size can't exceed 5,120 characters.
IAM doesn't count white space when calculating the size of a policy against these limits.
For managed policiesThe size of each managed policy can't exceed 6,144 characters.
IAM doesn't count white space when calculating the size of a policy against this limit.
Group name 128 characters Instance profile name 128 characters Password for a login profile 1â128 characters Path 512 characters Policy name 128 characters Role name 64 characters ImportantIf you intend to use a role with the Switch Role feature in the AWS Management Console, then the combined Path and RoleName can't exceed 64 characters.
12 hours
When you assume a role from the AWS CLI or API, you can use the duration-seconds CLI parameter or the DurationSeconds API parameter to request a longer role session. You can specify a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which can range 1â12 hours. If you don't specify a value for the DurationSeconds parameter, your security credentials are valid for one hour. IAM users who switch roles in the console are granted the maximum session duration, or the remaining time in the user's session, whichever is less. The maximum session duration setting doesn't limit sessions assumed by AWS services. To learn how to view the maximum value for your role, see Update the maximum session duration for a role.
The size of the passed JSON policy document and all passed managed policy ARN characters combined can't exceed 2,048 characters.
You can pass a maximum of 10 managed policy ARNs when you create a session.
You can pass only one JSON policy document when you programmatically create a temporary session for a role or AWS STS federated user principal.
Additionally, an AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
We recommend that you pass session policies using the AWS CLI or AWS API. The AWS Management Console might add additional console session information to the packed policy.
Session tags must meet the tag key limit of 128 characters and the tag value limit of 256 characters.
You can pass up to 50 session tags.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. You can pass session tags using the AWS CLI or AWS API. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
This character limit applies to assume-role-with-saml CLI or AssumeRoleWithSAML API operation.
This character limit applies to tags on IAM resources and session tags.
Tag value 256 charactersThis character limit applies to tags on IAM resources and session tags.
Tag values can be empty which means tag values can have a length of 0 characters.
Unique IDs created by IAM
128 characters. For example:
User IDs that begin with AIDA
Group IDs that begin with AGPA
Role IDs that begin with AROA
Managed policy IDs that begin with ANPA
Server certificate IDs that begin with ASCA
This isn't intended to be an exhaustive list, nor is it a guarantee that IDs of a certain type begin only with the specified letter combination.
User name 64 charactersRetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4